
Here’s one of those areas where security and compliance stare at each other angrily across the table instead of skipping down the trail together singing, “Tra-la-la.” I was speaking to a friend of mine at a birthday party about this because guys don’t stay inside for the Hannah Montana makeover, we go outside and talk about beer, sports, and information security.

OK, SOME of us do that. So what if I like my toes painted?

Anyway, he was telling me that his company was taking the stance that private label cards, or those cards that have the company name on them instead of a Visa, MasterCard, American Express, Discover, or JCB logo on them, should be included in their PCI efforts. At first I misheard him and thought he said that his assessor was requiring those cards to be included. If that is the case, the assessor needs to go back to training. The only cards that are in scope for PCI are the ones that have one of the five founding members’ logos on them (EDIT: Or ones that conform to valid PANs from those card brands that may still not have the logo on the front. Thanks to Todd A for pointing that out!).
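To make that scoping rule concrete, here is an added example (my own code, not from the original post or the PCI SSC) of a small Python classifier that decides whether a PAN conforms to one of the five founding brands' number formats and treats everything else as private label or other. The IIN ranges are the commonly published ones, the sample numbers are public test PANs plus one constructed store-card number, and anything not matched is assumed out of scope; confirm the ranges against the brands' current tables before using this for a real scoping exercise.

```python
import re

# Publicly documented IIN prefix ranges and PAN lengths for the five founding
# brands (assumption: current as of writing; confirm against the brands' tables).
BRAND_RULES = [
    ("Visa", [(4, 4)], {13, 16, 19}),
    ("MasterCard", [(51, 55), (2221, 2720)], {16}),
    ("American Express", [(34, 34), (37, 37)], {15}),
    ("Discover", [(6011, 6011), (65, 65), (644, 649), (622126, 622925)], {16, 19}),
    ("JCB", [(3528, 3589)], {16, 17, 18, 19}),
]

PRIVATE_LABEL = "private label / other"


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that every brand PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_pan(pan: str):
    """Return the brand name, PRIVATE_LABEL, or None if not a plausible PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        return None
    for brand, ranges, lengths in BRAND_RULES:
        for low, high in ranges:
            width = len(str(high))   # compare only as many leading digits as the range has
            if len(digits) in lengths and low <= int(digits[:width]) <= high:
                return brand
    return PRIVATE_LABEL


def in_pci_scope(pan: str) -> bool:
    """Only member-branded PANs fall under PCI DSS per the rule in the post."""
    return classify_pan(pan) not in (None, PRIVATE_LABEL)


def scan_text(text: str):
    """Find candidate PANs in free text and tag each with brand and scope."""
    pat = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
    return [(m.group(), classify_pan(m.group()), in_pci_scope(m.group()))
            for m in pat.finditer(text) if classify_pan(m.group())]


if __name__ == "__main__":
    # Constructed sample: public test PANs plus a made-up 7-prefix store card.
    sample = "visa 4111 1111 1111 1111, amex 378282246310005, store 7000000000000005"
    for pan, brand, scope in scan_text(sample):
        print(f"{pan:24} {brand:22} {'PCI scope' if scope else 'out of PCI scope'}")
```

The same `scan_text` pass is what you would run over logs or file shares when deciding which systems store in-scope PANs; the store card is flagged as well, which is exactly the data the last paragraph says to protect no matter what the standard requires.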

This is part of that security versus compliance argument. When I learned that his company was requiring them to be included in their PCI efforts, I applauded them. Here’s an example of a company that realizes that the only way to ensure their investment in the private label payment system will not be overcome by losses due to a breach is to include them in a PCI Assessment. Not only does that say something about the confidence in the assessment process, but it also says something about how much faith management has in the information security program.

There are, of course, many reasons why this may have happened. It could be as simple as management’s realization that the security program is short on people and resources. Therefore, they have decided to offload some of the tasks to an assessor performing some required compliance assessments. There are darker reasons why this may happen, but those will be left to your imagination.

For the record, non-member-branded payment cards are considered out of scope for PCI. But beware: if you are managing your own private label card system, you should treat it with the same level of security as (if not more than) your member-branded cards.